Score:1

iptables - allowing access to only a single port on different subnet


I've got an OpenVPN server up and running, currently allowing all traffic to be routed between the VPN (10.8.0.0/24) and the LAN (192.168.2.0/24) network. My iptables rules look as follows:

# Start from empty filter and NAT tables
iptables -t filter -F
iptables -t nat -F
# Replies to already-accepted connections may pass in either direction
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forward everything arriving from the VPN and everything arriving from the LAN
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -j REJECT
# Source NAT in both directions; note that MASQUERADE is a terminating target,
# so the SNAT rule listed after each MASQUERADE rule is never reached
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.2.26
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j SNAT --to-source 10.8.0.1

192.168.2.26 & 10.8.0.1 are the interfaces on the VPN-Server.

I am now looking to narrow it down quite a bit and allow only specific targets for specific users. One example:

I want the user with the IP 10.8.0.10 to only have access to 192.168.2.100 on port 8080, and nothing else in the LAN subnet. After tons of googling I tried some wild combinations of SNAT and DNAT, but didn't find the solution.

How can I implement the above scenario?

Score:1

So I've found a solution for my problem, should anyone be in need and stumble upon this:

I ditched iptables and went for ufw.

/etc/sysctl.conf:

net.ipv4.ip_forward=1

/etc/default/ufw:

DEFAULT_FORWARD_POLICY="DROP"

/etc/ufw/before.rules:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic between OpenVPN and LAN
# (VPN clients leave eth0 with the server's LAN address, LAN hosts leave tun0 with the server's VPN address)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# The LAN source needs its /24 prefix; without it only the single address 192.168.2.0 would match
-A POSTROUTING -s 192.168.2.0/24 -o tun0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

This way everything is set up for routing and forwarding, without forwarding anything as of yet due to the default "drop" policy.

To route the single IP to a port on another IP of a different subnet as described in the question, I simply needed to run the following ruleset:

sudo ufw route allow in on tun0 out on eth0 to 192.168.2.100 proto tcp port 8080 from 10.8.0.10
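For readers who want to stay with plain iptables rather than ufw, the same "one client, one host, one port" restriction as an added example (this is not code from the question or the answer). It assumes the question's layout: VPN on tun0 (10.8.0.0/24), LAN on eth0 (192.168.2.0/24), server LAN address 192.168.2.26. The key points are a FORWARD policy of DROP, a single stateful rule for replies, and one narrow ACCEPT per client; the question's catch-all `-A FORWARD -i tun0 -j ACCEPT` must not be present, or the per-client rule never restricts anything. Setting `IPT="echo iptables"` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumed interfaces and addresses are taken from the question above.
# Set IPT="echo iptables" to preview the generated rules without root.
IPT="${IPT:-iptables}"

# Baseline: nothing is forwarded unless a later rule explicitly allows it.
base_forward_rules() {
    $IPT -t filter -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -P FORWARD DROP
    # Replies that belong to an already-accepted connection may flow back.
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # VPN traffic towards the LAN leaves with the server's LAN address as source,
    # so LAN hosts answer to 192.168.2.26 and conntrack maps the reply back.
    $IPT -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.2.26
}

# Permit one VPN client to open TCP connections to one LAN host:port, and
# nothing else; every other new flow from that client falls through to DROP.
# Usage: allow_vpn_client <client-ip> <lan-host> <tcp-port>
allow_vpn_client() {
    client="$1"; target="$2"; port="$3"
    $IPT -A FORWARD -i tun0 -o eth0 -s "$client" -d "$target" \
        -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# Example from the question: 10.8.0.10 may reach only 192.168.2.100:8080.
case "${1:-}" in
    preview)
        IPT="echo iptables"
        base_forward_rules
        allow_vpn_client 10.8.0.10 192.168.2.100 8080
        ;;
    apply)
        base_forward_rules
        allow_vpn_client 10.8.0.10 192.168.2.100 8080
        ;;
esac
```

Run it as `sh vpn_rules.sh preview` to see the exact iptables commands, and as root with `apply` to load them. Each additional client gets its own `allow_vpn_client` line; order does not matter among them because the only terminating rules besides the ACCEPTs are the chain policy and the RELATED,ESTABLISHED match.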